Wireless carriers Verizon, AT&T, Sprint and T-Mobile are putting customers at risk by failing to fix well-known security vulnerabilities on Android phones, according to the American Civil Liberties Union (ACLU).

The ACLU has filed a complaint with the Federal Trade Commission, asking the FTC to investigate the companies for failing to warn of these flaws – present in “millions” of smartphones running versions of Android. The group has filed a 16-page complaint alleging that wireless carriers are engaging in ““unfair and deceptive business practices” by failing to provide updates for devices with known security vulnerabilities.

“Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched,” said the ACLU in a blog post.

“For consumers running these devices, there is no legitimate software upgrade path. The problem isn’t that consumers aren’t installing updates, but rather, that updates simply aren’t available. Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners.”

The ACLU compares this with the situation on PC and Mac, where security updates arrive regularly from Apple and Microsoft. The group suggests that the FTC should force carriers to offer refunds to consumers if they fail to supply security updates.

David Harley, Senior Research Fellow at ESET, says, “One of the reasons that Android security is so patchy – no pun intended – is indeed the inconsistency between phone providers when it comes to providing security updates. I think it’s a bit harsh to push the responsibility for that onto the carriers, though, rather than the hardware providers. A bit like blaming Microsoft for a problem with a specific brand of PC. It’s not just about Android, either: phones that use Java apps are also vulnerable to inconsistent patching practice.”